From 4bc9410c0cf5079219bdfa3295d83dfacefe1bb2 Mon Sep 17 00:00:00 2001
From: Michal Marek
Date: Fri, 25 Jan 2013 13:41:12 +1030
Subject: MODSIGN: Specify the hash algorithm on sign-file command line
Make the script usable without a .config file.
Signed-off-by: Michal Marek
Acked-by: David Howells
Signed-off-by: Rusty Russell
---
 scripts/sign-file | 53 ++++++++++++++++-------------------------------------
 1 file changed, 16 insertions(+), 37 deletions(-)
(limited to 'scripts/sign-file')
diff --git a/scripts/sign-file b/scripts/sign-file
index 974a20b661b7..2c2bbd18ff44 100755
--- a/scripts/sign-file
+++ b/scripts/sign-file
@@ -4,7 +4,7 @@
 #
 # Format:
 #
-# ./scripts/sign-file [-v] []
+# ./scripts/sign-file [-v] []
 #
 #
 use strict;
@@ -17,35 +17,19 @@ if ($#ARGV >= 0 && $ARGV[0] eq "-v") {
 shift;
 }
-die "Format: ./scripts/sign-file [-v] []\n"
- if ($#ARGV != 2 && $#ARGV != 3);
+die "Format: ./scripts/sign-file [-v] []\n"
+ if ($#ARGV != 3 && $#ARGV != 4);
-my $private_key = $ARGV[0];
-my $x509 = $ARGV[1];
-my $module = $ARGV[2];
-my $dest = ($#ARGV == 3) ? $ARGV[3] : $ARGV[2] . "~";
+my $dgst = $ARGV[0];
+my $private_key = $ARGV[1];
+my $x509 = $ARGV[2];
+my $module = $ARGV[3];
+my $dest = ($#ARGV == 4) ? $ARGV[4] : $ARGV[3] . "~";
 die "Can't read private key\n" unless (-r $private_key);
 die "Can't read X.509 certificate\n" unless (-r $x509);
 die "Can't read module\n" unless (-r $module);
-#
-# Read the kernel configuration
-#
-my %config = (
- CONFIG_MODULE_SIG_SHA512 => 1
- );
-
-if (-r ".config") {
- open(FD, "<.config") || die ".config";
- while () {
- if ($_ =~ /^(CONFIG_.*)=[ym]/) {
- $config{$1} = 1;
- }
- }
- close(FD);
-}
-
 #
 # Function to read the contents of a file into a variable.
 #
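Review bot: The new positional `$dgst` in hunk @@ -17,35 is taken from `$ARGV[0]` and is only checked against the accepted names in the later hunk at @@ -321,51, after the `-r` checks on key, certificate and module have already run, and the `die "Format: …"` usage line does not say which names are accepted. Consider naming them in that message, e.g. appending `(hash algo is one of sha1, sha224, sha256, sha384, sha512)` to the usage text, or moving the name check up beside the other argument checks so a typo fails before any file is touched. The unchanged `-r` tests only confirm readability; they say nothing about the contents of the files.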
@@ -321,51 +305,46 @@ my $id_type = 1; # Identifier type: X.509
 #
 # Digest the data
 #
-my ($dgst, $prologue) = ();
-if (exists $config{"CONFIG_MODULE_SIG_SHA1"}) {
+my $prologue;
+if ($dgst eq "sha1") {
 $prologue = pack("C*", 0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2B, 0x0E, 0x03, 0x02, 0x1A, 0x05, 0x00, 0x04, 0x14);
- $dgst = "-sha1";
 $hash = 2;
-} elsif (exists $config{"CONFIG_MODULE_SIG_SHA224"}) {
+} elsif ($dgst eq "sha224") {
 $prologue = pack("C*", 0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x04, 0x05, 0x00, 0x04, 0x1C);
- $dgst = "-sha224";
 $hash = 7;
-} elsif (exists $config{"CONFIG_MODULE_SIG_SHA256"}) {
+} elsif ($dgst eq "sha256") {
 $prologue = pack("C*", 0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20);
- $dgst = "-sha256";
 $hash = 4;
-} elsif (exists $config{"CONFIG_MODULE_SIG_SHA384"}) {
+} elsif ($dgst eq "sha384") {
 $prologue = pack("C*", 0x30, 0x41, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, 0x05, 0x00, 0x04, 0x30);
- $dgst = "-sha384";
 $hash = 5;
-} elsif (exists $config{"CONFIG_MODULE_SIG_SHA512"}) {
+} elsif ($dgst eq "sha512") {
 $prologue = pack("C*", 0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40);
- $dgst = "-sha512";
 $hash = 6;
 } else {
- die "Can't determine hash algorithm";
+ die "Unknown hash algorithm: $dgst\n";
 }
 #
 # Generate the digest and read from openssl's stdout
 #
 my $digest;
-$digest = readpipe("openssl dgst $dgst -binary $module") || die "openssl dgst";
+$digest = readpipe("openssl dgst -$dgst -binary $module") || die "openssl dgst";
 #
 # Generate the binary signature, which will be just the integer that comprises
-- cgit v1.2.3
From 1c37c054a7493e0537ea3d15a59dac3a0aa63a05 Mon Sep 17 00:00:00 2001
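Review bot: `$dgst` is now interpolated into the shell command in `readpipe("openssl dgst -$dgst -binary $module")`, and that is safe only because the `if`/`elsif` chain above dies for anything but the five literal names; that dependency should be stated on the `readpipe` line, e.g. `# $dgst is one of the fixed names accepted above, so interpolating it cannot alter the command`. `$module` is still passed through the shell unquoted (pre-existing), so a path containing whitespace or shell metacharacters is split or interpreted rather than handed to openssl verbatim; a list-form pipe avoids the shell entirely, e.g. `open(my $dgst_fh, '-|', 'openssl', 'dgst', "-$dgst", '-binary', $module) or die "openssl dgst";` followed by a binmode slurp of `$dgst_fh`. The `|| die` after `readpipe` also never inspects `$?`, so a failing openssl that still printed something on stdout is accepted as a digest.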
From: Michal Marek
Date: Fri, 25 Jan 2013 13:41:19 +1030
Subject: MODSIGN: Add -s option to sign-file
This option allows to append an externally computed singature to the module. This is needed in setups, where the private key is not directly available, but a service exists that returns signatures for given files.
Signed-off-by: Michal Marek
Acked-by: David Howells
Signed-off-by: Rusty Russell
---
 scripts/sign-file | 99 +++++++++++++++++++++++++++++++------------------------
 1 file changed, 56 insertions(+), 43 deletions(-)
(limited to 'scripts/sign-file')
diff --git a/scripts/sign-file b/scripts/sign-file
index 2c2bbd18ff44..2b7c4484d46c 100755
--- a/scripts/sign-file
+++ b/scripts/sign-file
@@ -2,31 +2,41 @@
 #
 # Sign a module file using the given key.
 #
-# Format:
-#
-# ./scripts/sign-file [-v] []
-#
-#
+
+my $USAGE =
+"Usage: scripts/sign-file [-v] []\n" .
+" scripts/sign-file [-v] -s []\n";
+
 use strict;
 use FileHandle;
 use IPC::Open2;
+use Getopt::Std;
-my $verbose = 0;
-if ($#ARGV >= 0 && $ARGV[0] eq "-v") {
- $verbose = 1;
- shift;
-}
+my %opts;
+getopts('vs:', \%opts) or die $USAGE;
+my $verbose = $opts{'v'};
+my $signature_file = $opts{'s'};
-die "Format: ./scripts/sign-file [-v] []\n"
- if ($#ARGV != 3 && $#ARGV != 4);
+die $USAGE if ($#ARGV > 4);
+die $USAGE if (!$signature_file && $#ARGV < 3 || $signature_file && $#ARGV < 2);
-my $dgst = $ARGV[0];
-my $private_key = $ARGV[1];
-my $x509 = $ARGV[2];
-my $module = $ARGV[3];
-my $dest = ($#ARGV == 4) ? $ARGV[4] : $ARGV[3] . "~";
+my $dgst = shift @ARGV;
+my $private_key;
+if (!$signature_file) {
+ $private_key = shift @ARGV;
+}
+my $x509 = shift @ARGV;
+my $module = shift @ARGV;
+my ($dest, $keep_orig);
+if (@ARGV) {
+ $dest = $ARGV[0];
+ $keep_orig = 1;
+} else {
+ $dest = $module . "~";
+}
-die "Can't read private key\n" unless (-r $private_key);
+die "Can't read private key\n" if (!$signature_file && !-r $private_key);
+die "Can't read signature file\n" if ($signature_file && !-r $signature_file);
 die "Can't read X.509 certificate\n" unless (-r $x509);
 die "Can't read module\n" unless (-r $module);
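Review bot: The upper bound `die $USAGE if ($#ARGV > 4);` ignores `-s` mode, where only three or four positional arguments are valid (no private key is consumed), so with `-s` a fifth argument passes the check and is silently dropped by the `shift`/`@ARGV` unpacking that follows, hiding a misplaced or extra argument instead of reporting it. Make the bound depend on the mode, e.g. `die $USAGE if ($signature_file ? $#ARGV > 3 : $#ARGV > 4);`. Separately, `my $USAGE = …` is now declared above `use strict;`; keeping the pragma lines first matches the usual layout and leaves no code outside strictures.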
@@ -340,33 +350,36 @@ if ($dgst eq "sha1") {
 die "Unknown hash algorithm: $dgst\n";
 }
-#
-# Generate the digest and read from openssl's stdout
-#
-my $digest;
-$digest = readpipe("openssl dgst -$dgst -binary $module") || die "openssl dgst";
-
-#
-# Generate the binary signature, which will be just the integer that comprises
-# the signature with no metadata attached.
-#
-my $pid;
-$pid = open2(*read_from, *write_to,
- "openssl rsautl -sign -inkey $private_key -keyform PEM") ||
- die "openssl rsautl";
-binmode write_to;
-print write_to $prologue . $digest || die "pipe to openssl rsautl";
-close(write_to) || die "pipe to openssl rsautl";
-
-binmode read_from;
 my $signature;
-read(read_from, $signature, 4096) || die "pipe from openssl rsautl";
-close(read_from) || die "pipe from openssl rsautl";
+if ($signature_file) {
+ $signature = read_file($signature_file);
+} else {
+ #
+ # Generate the digest and read from openssl's stdout
+ #
+ my $digest;
+ $digest = readpipe("openssl dgst -$dgst -binary $module") || die "openssl dgst";
+
+ #
+ # Generate the binary signature, which will be just the integer that
+ # comprises the signature with no metadata attached.
+ #
+ my $pid;
+ $pid = open2(*read_from, *write_to,
+ "openssl rsautl -sign -inkey $private_key -keyform PEM") ||
+ die "openssl rsautl";
+ binmode write_to;
+ print write_to $prologue . $digest || die "pipe to openssl rsautl";
+ close(write_to) || die "pipe to openssl rsautl";
+
+ binmode read_from;
+ read(read_from, $signature, 4096) || die "pipe from openssl rsautl";
+ close(read_from) || die "pipe from openssl rsautl";
+ waitpid($pid, 0) || die;
+ die "openssl rsautl died: $?" if ($? >> 8);
+}
 $signature = pack("n", length($signature)) . $signature,
-waitpid($pid, 0) || die;
-die "openssl rsautl died: $?" if ($? >> 8);
-
 #
 # Build the signed binary
 #
@@ -403,6 +416,6 @@ print FD ;
 close FD || die $dest;
-if ($#ARGV != 3) {
+if (!$keep_orig) {
 rename($dest, $module) || die $module;
 }
-- cgit v1.2.3
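Review bot: The context line `$signature = pack("n", length($signature)) . $signature,` ends in a comma rather than a semicolon; before this change the comma only chained into the `waitpid` call that has now moved into the `else` branch, so the assignment is now joined by the comma operator to whatever statement follows the comment block below the hunk (not visible here). Change it to `$signature = pack("n", length($signature)) . $signature;`. In the new `-s` branch the externally supplied signature is used as-is: `read_file` returns the whole file and `pack("n", …)` silently wraps any length above 65535, so add a bounds check before the pack, e.g. `die "Bad signature length\n" if (!length($signature) || length($signature) > 0xffff);`. The same 16-bit limit exists on the openssl path but is masked there by the `read(…, 4096)` cap.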